How to use Server.htmlEncode / Server.htmlDecode without compromising security?

QUESTION

How to submit html code to a textbox and output as text without compromising security?

This is what I'm currently trying:

DATA GOES IN (SUBMITTED INTO TEXTBOX)

Dim txtInput As String = Server.HtmlEncode(Me.txtInput.Text)

DATA COMES OUT (READ AS TEXT ON PAGE)

txtOutput.Text = Server.HtmlDecode(MyText)

Desired output is for the format to be the same as initially entered.

Solution

You should HtmlEncode text you are setting in a textbox:

txtOutput.Text = Server.HtmlEncode(MyText)

And HtmlDecode text you are getting from a textbox:

MyText = Server.HtmlDecode(txtOutput.Text)

If you're storing the data in sql then I recommend using parameterized queries as well. It handles most security concerns, such as SQL injection, for you.

ASP.NET: HTTP Error 500.19 – Internal Server Error 0x8007000d
SignalR dispose of HubConnection
Microservices using .net Framework 4 and above ( instead of .NET Core)
How to change the IIS Express development port on a WebForms project in VS2022
Why do ASP.Net server control declarations require the runat="server" attribute?
Do C# static members get shared among calls to a Web site?
How to trigger an OnClieck event for a ICON in ASP.NET C#
Visual Studio thinks my controls are missing, but they're not. "The name xx does not exist in the current context"
Could not get the data from IQueryable<object>
Compile Error CS0433 on pre-compiled ASP.NET 2.0 site
Fill GridView with IEnumerable objects
Anonymous Type Appears in both Error
Why asp:button is not working inside the Modal popup ASP.NET?
Add a checkbox to enable/disable gridview entries
Error Unable to start debugging on the web server
Return the user's role when we authenticate with ASP.NET WebApi
Visual Studio 2022 not running XUnit tests
asp.net cannot publish the asp namespace?
How do you stop source file information appearing in a Release?
Connect device on LAN to ASP.NET Core Web API
Docker Compose - Ocelot Api GetWay - Call API
How to send multipart/form-data to ASP.NET Core Web API?
How to suppress c# compiler warning in a razor file?
Validation with data annotations does not work
How can I disable the Yellow Highlighting of @ in Blazor Visual Studio?
ASP .NET Singleton
Using Fetch in JS to call a server-side method (ASP.NET)
How to retrieve a lot of data in my asp .NET app efficiently?
How to get a username while on a server
Why is my ASP.NET application throwing a ThreadAbortException?